On Thu, Aug 31, 2006 at 04:51:26PM -0400, Peter Jay Salzman wrote:
> I'm getting hammered with email containing text designed to trick Bayesian
> filters. Unfortunately, it appears to be quite successful in that endeavor.
> The email text is nonsensical; however, the email has a GIF image attachment.
>
> At first, the GIF was always named "image001.gif", and I was able to REJECT
> such emails when Postfix detected a GIF attachment named "image001.gif".
> But whoever is sending this got smarter and now the GIF file is named all
> kinds of things.
>
> I'm not quite sure how to filter these things anymore other than to REJECT
> all GIF attachments, which I'd prefer not to do if I can help it.
>
> The GIF image itself is mostly white with a few colored "threads" here and
> there. I certainly don't see any text, so I'm not quite sure what their
> purpose is. Perhaps it's some kind of virus?
>
> Anyone else seeing these things? I'm getting them a few times a day now.
Well, since I work for the leading manufacturer* of spam filter
appliances... I can tell you some of the avenues we've pursued for
dealing with this. Note that these are features-in-progress, and not
necessarily features that are currently or will at some point be
available. To my knowledge, none of this information is confidential.
----
One method for dealing with this is to obtain a checksum of every image
attachment within every email that is reported to be spam, and place them
in a database. Then, whenever we receive an email, we get checksums of
each image and check them against the database. If we find a
checksum there, it's spam.
I don't know if there's a public database of this type somewhere. I
wouldn't be surprised if there were. If there isn't, you can at least
keep track of the attachments you've already seen in your own local
database, and use that to throw future emails out.
----
Another method is to do OCR on the image, and check the results against
SpamAssassin-style rules. For my money, I'd probably do bayes and intent
checks (via spamhaus.org) against it as well. In fact, I would not be
surprised if we end up doing that here at some point.
From what I understand, we are using GNU Ocrad for this.
* Barracuda Networks, Inc. http://www.barracudanetworks.com/
Since I've mentioned some things regarding my employer, it's probably
best to mention that anything I've said or opinions I have are strictly
my own words or views, and not necessarily those of Barracuda Networks,
Inc. :-)
--
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
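The checksum-database method described in the reply above, written out as an added example. This is not Barracuda's code and not code from either poster; it assumes nothing beyond the Python standard library (the email, hashlib and sqlite3 modules), and the GIF bytes and messages it builds are constructed for the demonstration. It shows why the approach survives the renaming the original poster ran into: the hash is taken over the decoded attachment bytes, so the filename and the transfer encoding play no part. It also shows the check a practitioner would want: an exact checksum matches only byte-identical images, so if the sender changes even one byte per message the lookup misses. The OCR method from the same reply is not covered here.

```python
import email
import hashlib
import sqlite3
from email import policy
from email.message import EmailMessage

# Constructed sample image bytes: a GIF-looking header plus filler.  This is
# NOT a real spam image; the hash only cares that the bytes are stable.
SPAM_GIF = b"GIF89a" + bytes(range(64))
# Same image with one byte appended: what a per-message change to the GIF
# looks like to an exact-checksum filter.
MUTATED_GIF = SPAM_GIF + b"\x00"


def image_hashes(raw: bytes):
    """Return [(filename, sha256hex), ...] for every image/* MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        payload = part.get_payload(decode=True)  # undo base64 / quoted-printable
        if not payload:
            continue
        # Hash the decoded bytes: filename and encoding are irrelevant.
        found.append((part.get_filename() or "(unnamed)",
                      hashlib.sha256(payload).hexdigest()))
    return found


class ImageHashDB:
    """Local store of checksums of images seen in reported spam."""

    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS spam_images ("
            "sha256 TEXT PRIMARY KEY, first_seen_name TEXT)")

    def report_spam(self, raw: bytes) -> int:
        """Record every image in a message a user reported as spam."""
        hashes = image_hashes(raw)
        self.conn.executemany(
            "INSERT OR IGNORE INTO spam_images VALUES (?, ?)",
            [(digest, name) for name, digest in hashes])
        self.conn.commit()
        return len(hashes)

    def is_spam(self, raw: bytes) -> bool:
        """True if any image in the message matches a reported checksum."""
        for _name, digest in image_hashes(raw):
            hit = self.conn.execute(
                "SELECT 1 FROM spam_images WHERE sha256 = ?", (digest,)).fetchone()
            if hit:
                return True
        return False


def build_message(subject: str, body: str, images) -> bytes:
    """Construct a test email with the given (filename, bytes) GIF attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "postmaster@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in images:
        msg.add_attachment(data, maintype="image", subtype="gif", filename=name)
    return bytes(msg)


if __name__ == "__main__":
    db = ImageHashDB()
    db.report_spam(build_message("re: stocks", "nonsense words",
                                 [("image001.gif", SPAM_GIF)]))
    renamed = build_message("hello", "more nonsense", [("kjh23.gif", SPAM_GIF)])
    mutated = build_message("hello", "more nonsense",
                            [("image001.gif", MUTATED_GIF)])
    print("renamed copy flagged:", db.is_spam(renamed))        # True
    print("byte-changed copy flagged:", db.is_spam(mutated))   # False
```

The database is in memory here; point ImageHashDB at a file path to keep the checksums across runs, and feed report_spam from whatever mechanism users already have for reporting spam (a forwarded message, a folder scan). Because the lookup is by exact digest, it is cheap enough to run on every inbound message, but it is also why a sender who varies the image bytes per message gets past it.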